[Bro] Client identification from bro logs

Po-Ching Lin pachinko.tw at gmail.com
Fri Sep 4 22:50:08 PDT 2015


Hi all,

         It is well known that a client may be behind NAT or using DHCP, so identifying
an individual client solely from the IP address is unreliable. To track a client's behavior
from Bro logs, it is therefore important to separate the clients behind NAT or using DHCP.
Some passive methods for client identification were presented long ago, such as

https://www.cs.columbia.edu/~smb/papers/fnat.pdf, or
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1453529&tag=1

         The features leveraged by the above two papers, IP identifier and TCP timestamp
option, are unavailable from default Bro logs. I would like to know whether the existing
Bro design has a solution to this issue. Many thanks.

Po-Ching
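As an added illustration of the passive technique the first cited paper relies on (this is not code from the Bro project or from the poster), the snippet below groups IP Identification values seen from one public address into monotonic sequences, one per host; the window sizes and the sample observations are constructed assumptions. Since, as the post notes, default Bro logs do not carry the IP ID, the input would have to come from packet capture data.

```python
"""Passive host counting behind a NAT from IP ID sequences.

Many older IP stacks fill the 16-bit IP Identification field from one global
counter, so packets from a single host form a slowly increasing sequence while
packets from several hosts behind one NAT form several interleaved sequences.
Grouping observations into such sequences estimates how many hosts share the
address. Thresholds (max_gap, timeout) and SAMPLE are constructed values."""
from dataclasses import dataclass

IPID_MOD = 1 << 16  # IP ID is a 16-bit field and wraps around


@dataclass
class Chain:
    last_id: int     # most recent IP ID attributed to this host
    last_ts: float   # time of that observation
    count: int = 1   # packets attributed so far


def id_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur on the 16-bit IP ID ring."""
    return (cur - prev) % IPID_MOD


def count_hosts(observations, max_gap=64, timeout=60.0):
    """observations: iterable of (timestamp, ip_id) seen from ONE public IP.
    Each observation joins the chain whose last ID is the closest one below it
    (within max_gap and timeout); otherwise it starts a new chain (new host)."""
    chains = []
    for ts, ip_id in sorted(observations):
        best, best_gap = None, max_gap + 1
        for ch in chains:
            gap = id_gap(ch.last_id, ip_id)
            # gap 0 is excluded: a repeated ID does not continue a counter
            if 0 < gap < best_gap and ts - ch.last_ts <= timeout:
                best, best_gap = ch, gap
        if best is None:
            chains.append(Chain(ip_id, ts))
        else:
            best.last_id, best.last_ts, best.count = ip_id, ts, best.count + 1
    return chains


# Constructed sample: two sequential-ID hosts behind one NAT, interleaved.
SAMPLE = [(0.0, 1000), (0.5, 40000), (1.0, 1001), (1.2, 40003),
          (2.0, 1002), (2.5, 40004), (3.0, 1005), (3.1, 40005)]

if __name__ == "__main__":
    for i, ch in enumerate(count_hosts(SAMPLE)):
        print(f"host {i}: {ch.count} packets, last IP ID {ch.last_id}")
```

Hosts whose stacks randomize the IP ID or keep a per-destination counter never form a chain, so every such packet opens a new chain and the estimate overcounts; the TCP timestamp option is a more robust signal for those, but it is likewise absent from default Bro logs.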